Jira Server and Data Center - JRASERVER-69796

User enumeration through the groupuserpicker api resource - CVE-2019-8449

    Details

      Description

      Issue summary

      The /rest/api/latest/groupuserpicker resource in Jira before version 8.4.0 allows remote attackers to enumerate usernames via an information disclosure vulnerability.

      Workaround

      If upgrading Jira to 8.4.0 is not an option for now, a temporary workaround consists of blocking this API endpoint on the Tomcat side by forcing it to return a 403 error for unauthenticated requests.

      The steps are:

      1. Add the rule below to the file <jira-installation-directory>/atlassian-jira/WEB-INF/urlrewrite.xml. It returns a 403 error whenever someone who is not authenticated via cookie (i.e. normal browser access, or cookie-based API calls) calls /rest/api/latest/groupuserpicker:

            <rule>
              <condition type="session-attribute" name="seraph_defaultauthenticator_user" operator="notequal">.+</condition>
              <from>^(?s)/rest/api/.*/groupuserpicker</from>
              <set type="status">403</set>
              <to>null</to>
            </rule>

      2. Restart Jira.
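      To see what the rule actually does before deploying it, the following added example (not Atlassian's code and not part of the issue) parses the <rule> element above and evaluates sample requests the way UrlRewriteFilter evaluates a rule: the <from> regex is applied to the request path (assumed here to be relative to a root context), and the session-attribute condition is applied to the seraph_defaultauthenticator_user attribute, which is assumed to be absent for any request without an authenticated session cookie. The request paths and session contents used below are constructed test vectors.

```python
"""Model of the JRASERVER-69796 urlrewrite.xml workaround rule (added example)."""
import re
import xml.etree.ElementTree as ET

# Copy of the rule from the workaround steps (constructed string for this example).
RULE_XML = """
<rule>
  <condition type="session-attribute" name="seraph_defaultauthenticator_user" operator="notequal">.+</condition>
  <from>^(?s)/rest/api/.*/groupuserpicker</from>
  <set type="status">403</set>
  <to>null</to>
</rule>
"""


def _java_regex_to_python(pattern):
    """Python 3.11+ only accepts a global inline flag such as (?s) at the very
    start of a pattern, so strip it and pass re.DOTALL instead (same meaning)."""
    flags = 0
    if "(?s)" in pattern:
        pattern = pattern.replace("(?s)", "")
        flags |= re.DOTALL
    return pattern, flags


def parse_rule(rule_xml):
    """Extract the condition, path regex and forced status from a <rule> element."""
    root = ET.fromstring(rule_xml.strip())
    cond = root.find("condition")
    from_pattern, from_flags = _java_regex_to_python(root.findtext("from"))
    status = root.find("set[@type='status']")
    return {
        "attr_name": cond.get("name"),
        "operator": cond.get("operator"),
        "attr_regex": re.compile(cond.text.strip()),
        "from": re.compile(from_pattern, from_flags),
        "status": int(status.text),
    }


RULE = parse_rule(RULE_XML)


def condition_holds(rule, session_attrs):
    """Assumed UrlRewriteFilter semantics: 'notequal' holds when the session
    attribute is absent or does not match the condition regex (.+ here, so any
    non-empty value counts as 'authenticated via cookie')."""
    value = session_attrs.get(rule["attr_name"])
    matches = value is not None and rule["attr_regex"].search(str(value)) is not None
    if rule["operator"] == "notequal":
        return not matches
    return matches  # the default operator is 'equal'


def evaluate(rule, path, session_attrs):
    """Return the status the rule forces (403) or None if the request passes through."""
    if rule["from"].match(path) and condition_holds(rule, session_attrs):
        return rule["status"]
    return None


if __name__ == "__main__":
    # Constructed test vectors: (request path, session attributes as seen by Tomcat).
    cases = [
        ("/rest/api/latest/groupuserpicker?query=a", {}),
        ("/rest/api/2/groupuserpicker", {}),
        ("/rest/api/latest/groupuserpicker", {"seraph_defaultauthenticator_user": "jdoe"}),
        ("/rest/api/2/myself", {}),
    ]
    for path, session in cases:
        print(f"{path:45s} session={session!r:55s} -> {evaluate(RULE, path, session)}")
```

      Note that the condition only looks at the seraph session attribute: a request that carries no authenticated session cookie is blocked regardless of any other credentials it presents, which is the "not authenticated via cookie" behaviour described in step 1, while other REST resources such as /rest/api/2/myself are untouched because the <from> pattern does not match them.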

              People

              Assignee: Unassigned
              Reporter: Security Metrics Bot (security-metrics-bot)